1 / 48

Distributed Systems CS 15-440

Distributed Systems CS 15-440. Security – Part II Lecture 22, Nov 30, 2011 Majd F. Sakr , Vinay Kolar , Mohammad Hammoud. Today…. Last Sessions Security Introduction, Cryptography Secure Channels: Authorization Today’s session Security Secure Channels:

donagh
Download Presentation

Distributed Systems CS 15-440

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Distributed SystemsCS 15-440 Security – Part II Lecture 22, Nov 30, 2011 Majd F. Sakr, VinayKolar, Mohammad Hammoud

  2. Today… • Last Sessions • Security • Introduction, Cryptography • Secure Channels: Authorization • Today’s session • Security • Secure Channels: • Two Authorization Protocols, Message Integrity and Confidentiality • Access Control and Security Management • Announcement • Virtualization chapter starts from Monday

  3. Overview Today’s lecture

  4. Overview

  5. Types of Mutual Authentication Protocols • Shared Secret Key based Authentication • Authentication using a Key Distribution Center • Authentication using Public-key Cryptography

  6. Types of Mutual Authentication Protocols • Shared Secret Key based Authentication • Authentication Using a Key Distribution Center • Authentication Using Public-key Cryptography

  7. Authentication Using a Key Distribution Center • Shared secret key based authentication is not scalable • Each host has exchange keys with every other host • Complexity: O(N2) • The complexity is reduced by electing one node as “Key Distribution Center” (KDC) • KDC shares a secret-key with every host • No pair of hosts need to share a key • Complexity: O(N)

  8. Basic Model of a KDC based Authentication • We will study a widely used KDC protocol called Needham-Schroeder Authentication Protocol Ticket Alice KDC Bob A,B KA,KDC(KA,B) , KB,KDC(KA,B) A, KB,KDC(KA,B)

  9. Needham-Schroeder Authentication Protocol • A multi-way challenge response protocol What happens if: Nonce is not included in M2? B is not included in M2? RA2 is returned in M4, instead of (RA2-1)? Chuck has an old key KA,B and intercepts M3, and replays M3 at a later point of time to Alice? Nonce: A random number that is used only once Response to Nonce RA1 Ticket Alice KDC M1 Bob RA1 ,A,B M2 KA,KDC(RA1, B, KA,B , KB,KDC(A, KA,B) ) M3 KA,B(RA2), KB,KDC(A,KA,B) M4 KA,B(RA2 -1, RB) M5 KA,B(RB-1)

  10. Types of Mutual Authentication Protocols • Shared Secret Key based Authentication • Authentication using a Key Distribution Center • Authentication using Public-key Cryptography

  11. Authentication Using a Public-Key Cryptography • Recall: • K+N: Public key of user N • K-N: Private key of user N Alice Bob K+B(A, RA) K+A(RA, RB, KA,B ) KA,B (RB)

  12. Overview

  13. Message Integrity and Confidentiality • Encryption is used for providing Confidentiality • But, how to provide Message Integrity? • Encryption protects message modification by third party adversaries • How to protect modification at senders or receivers? What if Alice denies that she sent M1? What if Bob says that he had asked for $500 in M2? Both parties have to keep SIGNED versions of the messages M1 I will buy your horse for $200 Alice Bob M2 OK. Deal. $200

  14. Digital Signatures • The sender and the receiver will keep digitally signed copies of the messages • One way of creating digital signatures is by using RSA Alice’s Computer Bob’s Computer m m m K-A m K-B K+B K-A(m) K-A(m) K+B(m, K-A(m)) Dig. Signed message of A Bob saves the digitally signed message from A

  15. Issues with Naïve Digital Signatures • The validity of the digitally signed message holds as long as A’s private key remains a secret • ‘A’ can claim that her private key was stolen • If ‘A’ changes her private key, the signed message becomes invalid • A centralized authority can keep track of when keys are changed • Encrypting the entire message with private key is costly • RSA is slower, and encryption of long data is not preferred • Any ideas on how to improve?

  16. Digital Signature with Message Digest • Instead of attaching the encrypted message, attach the message digest Alice’s Computer Bob’s Computer m m m m K-B K+B Hash K-A H(m) K-A(H(m)) K-A(H(m)) K+B(m, K-A(H(m))) Bob saves the digitally signed message from A Bob can verify the signature by comparing the hash of received message, and the hash attached in the digitally signed message

  17. Overview

  18. Secure Group Communication • Scenario: Client has to communicate with a group of replicated servers • Replication can be for fault-tolerance or performance improvement • Client expects that the response is secure • Naïve Solution: • Client collects the response from each server • Client authenticates every response • Client takes a majority vote • Drawback of naïve approach • Replicated of servers should be transparent to the client • Reiter et al. proposed a transparent and secure group authentication protocol (Secure Group Authentication Protocol)

  19. Secure Group Authentication Protocol • Problem: Authenticate a group of replicated servers at the client in a transparent way • Main Idea: • Multiple servers share a secret • None of them know the entire secret • Secret can be revealed only if all/most of them cooperate • The approach is similar to k-fault tolerant systems • Tolerate intrusion (faults) of c servers out of N servers if c <= N • We will study the algorithm in two phases: • Generating Shared Secret Signatures • Enhancing transparency

  20. 1. Generating Shared Secret Signatures Parameters: N=5; c=2 • For each client call: • Each server Si returns the response (ri) • In addition, it sends a signed message digest: sig(Si,ri) = K-si( md(ri) ) • For each response, client computes mdc (ri) = H(ri) • Hence, client has N tripletsRi = < ri,mdc(ri), sig(Si,ri)> • Client takes c+1 combinations of triplets • For each combination vector [R, R’ and R’’] • Computes a create a single digest usinga special decryption function D(V) d = D(V) = D(sig(S,r), sig(S’,r’),sig(S’’,r’’)) NOTE: dis a vector of responses • If d[x] = respective mdc(ri), then ri is correct S1 S2 S3 S4 S5 Client r1 sig(S1,r1) r2 sig(S2,r2) Select another combination Hash r3 sig(S3,r3) r4 sig(S4,r4) r5 sig(S5,r5) No d mdc(r1) D(V) d=md(r) mdc(r2) mdc(r3) Yes mdc(r4) r is OK mdc(r5)

  21. 2. Enhancing transparency • Each server broadcasts a message [ri,sig(Si,ri)] to other servers • When the server has received k+1 messages • Compute valid signature D(V) for one combination of responses r • If success, then transmit [V,r] to the client • When client receives a response, it re-verifies the correctness of r

  22. Discussion: Secure Group Authentication Protocol • The protocol can be generalized to (m,n)-threshold scheme • A message is divided into n-pieces (shadows) • m shadows can be used to reconstruct the message • (m-1) or fewer shadows cannot reconstruct • In the above protocol: • m = c+1 = Number of valid signatures required • n = N = Number of replicated servers

  23. Overview

  24. Access Control • Access Control (AC) verifies the access rights of a subject requesting an access to an object • A General model for Access Control • A reference monitor records which subjects may do what • How is Access Control different from Authorization? • Authorization = granting access rights • Access Control = verifying access rights Request an operation Subject Object Authorized request Request an operation Subject Object Reference Monitor

  25. Access Control Matrix • A matrix M that keeps track of which operations can a subject invoke on an object • M [s,o] lists which operations subject s can perform on object o • The reference monitor will look up AC Matrixbefore authorizing the request • Scalability of AC Matrix • For a large DS with many users, most of the entries are empty • Two implementations of AC Matrix: • Access Control Lists • Capabilities Objects Om O1 Subjects S1 S2 Sn

  26. 1. Access Control List • AC Matrix is stored as a list • Similar to how a graph of nodes and edges are stored as an adjacency list Sub 5 Obj 1 Sub 1 Sub x Obj 2 Sub 3 Sub 5 Sub n Obj m Sub 5

  27. 2. Capabilities • AC Matrix can also be decomposed row-wise • Capability for a user is a list of objects and the associated permissions for a given user • The ‘capability’ object can be issued by Reference Monitor to a user, and can reside at the user side • But should be protected (digital signature) Obj 5 Sub 1 Obj 1 Objy

  28. Comparison of ACL and Capabilities • The server is not interested in whether it knows the client • Server should check Capability Using Capabilities Using ACL Create Access Request to Object r as Subject-s. Pass capability C Create Access Request to Object r as Subject-s Obj-r Obj-r ACL (s,r) (s,r) C if (s in ACL && r in ACL) grant access; if (r in C) grant access; Server Client Server Client The server stores the ACL

  29. Protection Domains • Motivation: Access Control using ACL and Capabilities is still not scalable in very large DS • Organizing Permissions: • Object permission is given to a protection domain (PD) • Each PD row consists of (object, permission) pair • User Management: • Group uses into a “protection domain” • Users belong to one or more protection domain • e.g., employees, admin, guests • Before granting the access, check permissionsfrom user’s PDs Objects Om O1 Protection Domains PD1 PD2 PDn PD: Admin PD: Employees PD: Guests A matrix is shown only for representation. Similar to AC Matrix, PD can be implemented using techniques similar to ACL

  30. Hierarchical Protection Domains • Domains can be organized into hierarchical groups • Advantage • Managing group membership is easy • Disadvantage • Looking up for a member is costly • An optimization: • Let each user carry a certificate of all the groups they belong to • Reference monitor validates the certificate (similar to the Capabilities approach) World World Anonymous Emp_SFO Emp_NY Emp_AMS

  31. Overview

  32. Controlling Outsider Attacks • Above discussed schemes are good for preventing against small number of users who belong to a DS • But, what if any user on the Internet can access the resources of DS • Search engines, Sending mails, … • Above approaches are complicated, inefficient and time-consuming when a DS is exposed to the rest-of-the-world • We discuss two coarse grained Access Control schemes • Firewall • Controlling Denial of Service (DoS) attacks

  33. Firewall • Firewall provides access control by regulating the flow of network traffic to/from a LAN • Firewall disconnects any part of the DS from outside world • The internal LANs route packets through Packet Filtering Routers (PFR) and Application Gateway (AG) • Incoming/outgoing packet contents (e.g., src/dest IP) are examined by PFRs • PFRs selectively forward the incoming/outgoing packets to/from AG Connections to the internal network Connections to the external network Packet Filtering Router Packet Filtering Router Application Gateway External LAN Internal LAN

  34. Denial of Service Attacks • Denial of Service (DoS) attacks maliciously prevents authorized processes from accessing the resources • Example: Flood a search server with TCP requests • DoS attacks from a single source can be easily prevented • Triggering DoS attacks from multiple sources (Distributed DoS or DDoS) is hard to detect • Attackers hijack a large group of machines • DDoS is hard to detect

  35. Types of DoS Attacks Two types • Bandwidth Depletion • Send many messages to a server • Normal messages cannot reach the server • Resource Depletion • Trick the server to allocate large amount of resources • Example: TCP SYN flooding • Initiate a lot of TCP connections on server (by sending TCP SYN packets) • Do not close the connections • Each connection request blocks some memory for some time

  36. Preventing DoS Attacks Idea: Detect DDoS by continuously monitoring network traffic at routers Three types: • Monitor at ingress routers: • Monitor incoming traffic for large flow towards a destination • Drawback: Too late to detect since regular traffic is already blocked • Monitor at egress routers: • Monitor traffic when packets leave organization’s network • e.g., Drop packets whose source IP does not belong to the org’s network • Monitor at core internet routers: • Monitor at routers at the core of the Internet Service Providers (ISPs) • e.g., Drop packets when rate of traffic to a specific node is disproportionately larger than the rate of traffic from that node

  37. Overview

  38. Key Management • We have studied how to use keys for authentication and encryption • Examples of key-generation that we studied: • Session key • Generated and distributed by public-private key pair • Public-Private Key • Generated by algorithms. How is it securely distributed? • How to boot-strap secure key generation and distribution in a DS? • There are two main approaches in key management: • Diffie-Hellman Algorithm (For key generation over insecure channels) • Key distribution

  39. Diffie-Hellman Key Generation • Diffie-Hellman algorithm establishes a shared key between two entities across an insecure channel

  40. Diffie-Hellman Algorithm Selects two large numbers n and g with certain mathematical properties Choose a secret number y Choose a secret number x n, g, gx mod n Alice transmits [n, g, gx mod n] y, n, g, gx mod n n, g, gx mod n, gy mod n n, g, x, gx mod n, gy mod n Bob transmits [gy mod n] Alice computes (gymod n)x= gxy mod n Bob computes (gx mod n)y = gxy mod n SHARED SECRET KEY =gxy mod n SHARED SECRET KEY =gxy mod n

  41. Discussion of Diffie-Hellman Algorithm • D-H algorithm can be used in: • Symmetric Cryptosystems • Secret key gxy mod n can be generated between A and B even in the presence of insecure channel • Public-key Cryptosystems • A’s private key = x • A’s public key = gx mod n • But, how to securely distribute public keys?

  42. Key Distribution • Key distribution in Symmetric Cryptosystems • Out-of-band key exchange • Diffie-Hellman algorithm • Complex for a large DS • Key distribution in Public-key Cryptosystems • Main problem: How do we authenticate the entity that transmitted the public key? • We will study an approach called Public-key certificates

  43. Public-key Certificate • In practice, we trust a well-know Certification Authority (CA) • Example of a CA: VeriSign • Public key of CA (K+CA) is well-known • e.g., It is built-in with browsers • How does Bob validate public key of Alice? • Each user (Alice) has a public-key certificatecert(A, K+A) that issued by CA • Bob verifies if the received (A, K+A) matches that in the certificate

  44. High-level Summary of Security Chapter

  45. Summary of “Introductory Concepts” and “Cryptographic Systems”

  46. Summary of “Secure Channels”

  47. Summary of Security Chapter

  48. References • [1]http://en.wikipedia.org/wiki/Cryptography • [2] http://www.cs.colorado.edu/~jrblack/class/csci7000/f03/talks/7000_1.ppt • [3] http://pajhome.org.uk/crypt/rsa/rsa.html • [4] http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

More Related